kibana_system role missing read permissions for metrics-apm-* and logs-apm-*

[uvNikita]

Kibana version:
8.10.2

Elasticsearch version:
8.10.2

Original install method (e.g. download page, yum, from source, etc.):
ECK

Describe the bug:

kibana_system role currently has read permissions for traces-apm-*, but missing for logs-apm-* and metrics-apm-*.

APM application in Kibana is configured following these steps: https://www.elastic.co/guide/en/kibana/current/apm-spaces.html

This results in the following error in "Observability -> APM -> Settings -> Agent Configuration" tab: "The list of agent configurations could not be fetched. Your user may not have the sufficient permissions"

Browser Network tab shows the following failing request:

GET https://<kibana-url>/s/<kibana-space>/api/apm/settings/agent-configuration
{
  "statusCode": 500,
  "error": "Internal Server Error",
  "message": "security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [indices:data/read/search] is unauthorized for service account [elastic/kibana] on indices [metrics-apm-<kibana-space>], this action is granted by the index privileges [read,all]",
  "attributes": {
    "data": {},
    "_inspect": []
  }
}

Steps to reproduce:

1. Configure APM following these steps: https://www.elastic.co/guide/en/kibana/current/apm-spaces.html
2. Navigate to "Observability -> APM -> Settings -> Agent Configuration"
3. See permission Error

Alternatively, just check for missing permissions by sending GET _security/role/kibana_system

Expected behavior:
Should be able to see and create APM agent configuration.

Errors in browser console (if relevant):

GET https://<kibana-url>/s/<kibana-space>/api/apm/settings/agent-configuration
{
  "statusCode": 500,
  "error": "Internal Server Error",
  "message": "security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [indices:data/read/search] is unauthorized for service account [elastic/kibana] on indices [metrics-apm-<kibana-space>], this action is granted by the index privileges [read,all]",
  "attributes": {
    "data": {},
    "_inspect": []
  }
}

Any additional context:
See also Case #01503117

[elasticmachine]

Pinging @elastic/apm-ui (Team:APM)

[sorenlouv]

It is very surprising to me that the route GET /api/apm/settings/agent-configuration would attempt to access any other index than .apm-agent-configuration. If it does it sounds like a bug (or a side effect I haven't considered).

Either way thanks for bringing this to our attention, and thanks for opening a PR!

[uvNikita]

@sqren So I tried to follow the trace where access to other indexes than .apm-agent-configuration would be made and I think you are right, at it's unnecessary.

Keep in mind that it's my first look at kibana source code, so probably someone else should double check this findings.

What I found so far:

• /api/apm/settings/agent-configuration is defined here:

  kibana/x-pack/plugins/apm/server/routes/settings/agent_configuration/route.ts

  Line 69 in 6327ab3

  const getSingleAgentConfigurationRoute = createApmServerRoute({

• it then proceeds with getting all configured APM indexes:

  kibana/x-pack/plugins/apm/server/routes/settings/agent_configuration/route.ts

  Line 81 in 6327ab3

  const apmIndices = await resources.getApmIndices();

• it then creates internalESClient with those indexes and calls findExactConfiguration with this new client
• findExactConfiguration is defined here:

  kibana/x-pack/plugins/apm/server/routes/settings/agent_configuration/find_exact_configuration.ts

  Line 19 in 6327ab3

  export async function findExactConfiguration({

• it send query with index set to APM_AGENT_CONFIGURATION_INDEX

  kibana/x-pack/plugins/apm/server/routes/settings/agent_configuration/find_exact_configuration.ts

  Line 35 in 6327ab3

  index: APM_AGENT_CONFIGURATION_INDEX,

• this index name is statically defined here:

  kibana/x-pack/plugins/apm/server/routes/settings/apm_indices/apm_system_index_constants.ts

  Line 8 in 0f3382f

  export const APM_AGENT_CONFIGURATION_INDEX = '.apm-agent-configuration';

So it doesn't seem to be necessary to create internalESClient with all APM configured indexes since they are not used anyway. My guess is the error will be gone if removing indexes from the call here (I haven't checked it):

kibana/x-pack/plugins/apm/server/routes/settings/agent_configuration/route.ts

Line 83 in 6327ab3

const internalESClient = await createInternalESClientWithContext({

Looking at this code, it seems like there is also no way for us to see configuration only for services in the current kibana space (service environment). It would be a nice feature to make APM_AGENT_CONFIGURATION_INDEX configurable in the same way as other APM indexes are, but that's probably outside of the scope of this issue (?)

Let me know if there is anything else I can do. I can give it a shot at trying to remove those indexes from createInternalESClientWithContext call, but you probably would want someone with more experience with kibana code to do it anyway?

[jeramysoucy]

Thank you, @uvNikita! From the Kibana Security team's perspective, we would prefer resolving this issue without having to augment kibana_system index access privileges. We typically only make exceptions for these types of indices when access is needed to support telemetry purposes. In this case, it seems like access is required only as a side effect of the current implementation.

@sqren Could someone from APM investigate further and provide some guidance to @uvNikita?

[sorenlouv]

Thank you for the writeup @uvNikita. I think you are right, that apmIndices should be removed from createInternalESClientWithContext since it's just passed through and never used. I hope to get a PR up to fix this soon.

That being said, I couldn't reproduce the issue. Most likely because I'm using the default setup where metrics are written to metrics-apm.* and logs to metrics-apm.*. It looks like in your case, you are writing to metrics-apm-*. Is that intentional?

@elastic/apm-server Does above sound right, that by default we write to metrics-apm.* and not to metrics-apm-*?

[uvNikita]

@sqren Thanks for looking into it!

Yes, we are using <beat>-*-<kibana-space> template for all our indexes, including APM ones. It all works correctly except APM agent config, so would be nice to get rid of apmIndices since they are not needed anyway.

[sorenlouv]

@uvNikita It looks like we will need your PR and that this cannot be fixed in Kibana. In getConfigsAppliedToAgentsThroughFleet the metrics index (metrics-apm*) is queried. Since this may run in the background (and not within a request context), it'll run as the kibana system user, so this user must have access to the metric index.

kibana/x-pack/plugins/apm/server/routes/settings/agent_configuration/get_config_applied_to_agent_through_fleet.ts

Lines 13 to 18 in 34bdce9

	export async function getConfigsAppliedToAgentsThroughFleet(
	internalESClient: APMInternalESClient
	) {
	const params = {
	index: internalESClient.apmIndices.metric,
	size: 0,

[uvNikita]

@sqren Good find!

[kpatticha]

@sqren Thanks for looking into it!

Yes, we are using <beat>-*-<kibana-space> template for all our indexes, including APM ones. It all works correctly except APM agent config, so would be nice to get rid of apmIndices since they are not needed anyway.

The PR is merged #170733.

[smith]

Since #170733 is merged does that mean the PR to elasticsearch is still needed?

[sorenlouv]

Since #170733 is merged does that mean the PR to elasticsearch is still needed?

Yes. That PR turned out not to have an impact on this problem but the refactor was still an improvement. The original problem will either need to be fixed via changes to documentation, or a change to how agent configurations are retrieved.

The problem in a nut shell is that the internal kibana user is querying user configurable indices. This means that if the user changes the indices to something non-standard, we cannot the internal user will not have permissions to query these.

[sorenlouv]

Opened a PR for fixing this in #173001. This replaces elastic/elasticsearch#101467